Before working on these steps, make sure you have set up the AWS S3 bucket from the previous page.
Xembly uses CloudFront as a content delivery network (CDN) to ensure low latency for streaming video content. We also use CloudFront signed URLs so that stream content can only be fetched with a time-limited signature, and origin access control so that the S3 bucket itself stays private.
Go to the CloudFront service in AWS and click Create Distribution. This will open a new page.
Configure the fields below as follows:
Use the S3 bucket created earlier as the origin domain
Origin access should be "Origin access control settings (recommended)". With OAC, CloudFront signs its own requests to S3 (SigV4), so the bucket can stay private and only accept reads from this distribution. Note that OAC does not sign the viewer-facing URLs; that is done by the trusted key group we configure below.
If you don't have any origin access controls yet, press the Create control setting button, or select an existing one from the dropdown list
For default cache behavior, leave Path pattern as "Default (*)"
Compress objects automatically - "No"
Viewer protocol policy should be "HTTPS only"
Allowed HTTP methods - "GET, HEAD, OPTIONS"
Restrict viewer access - "No" (for now; we'll change this to "Yes" once the key group exists)
Cache policy - "CachingOptimizedForUncompressedObjects"
In Additional settings set Smooth streaming to "Yes"
WAF, edge locations (price class), and alternate domain name / SSL certificate settings are not required by Xembly; follow your own corporate preferences.
When done with all the previous steps, click Create Distribution. You will see a yellow banner at the top that says "The S3 bucket policy needs to be updated". Click Copy Policy and save the policy somewhere. We will need it for a later step.
Creating Signing Keys
Because CloudFront also serves signed URLs, you need to create a signing key and place it in a trusted key group in CloudFront. The key group is what the distribution trusts, so you can add a new key and remove the old one later without temporarily losing access.
Click the Public keys link in the left navigation. You will need to create a public/private key pair with OpenSSL (CloudFront requires a 2048-bit RSA key pair in PEM format) and paste the public key into this page. Only the public key is uploaded to CloudFront; the private key stays with you.
Pro Tip: You will need the private key in the Xembly Admin Dashboard, so store it somewhere you can retrieve it quickly but securely (a secrets manager rather than a shared drive): anyone holding it can mint valid streaming URLs.
Copy and paste the public key into the "Key" field and click Create Public Key.
Pro Tip: You will need the public key ID in the Xembly Admin Dashboard, so copy it somewhere after you create the key.
Next, we’ll need to create a Key Group. This will give you the ability to create and rotate new keys without temporarily disrupting service (you can add the new key while the old one is still active and only delete the old one when everything is configured).
In the left navigation click Key groups, then Create key group. Name the key group and select the public key we created before.
Once we have our key group:
Go back to Distributions and click the distribution we created earlier. Click Behaviors, select the current behavior, and click Edit. On the edit screen, change Restrict viewer access to Yes, keep the "Trusted key groups" selection, and select the key group we previously created. Click Save changes.
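As an added example (not Xembly's code and not the Admin Dashboard's implementation), here is what a CloudFront signed URL looks like once the behavior above restricts viewer access: the canned policy carrying the resource URL and expiry is serialized without whitespace, signed with RSA-SHA1 using the private half of the key pair whose public half you uploaded, and the signature is base64-encoded with CloudFront's URL-safe substitutions and appended together with Expires and Key-Pair-Id. The distribution domain, key-pair ID, object key and private_key.pem path are placeholders. The signer shells out to the openssl CLI; its docstring also shows the two commands that generate the 2048-bit RSA pair CloudFront requires.

```python
# Added example: building a CloudFront signed URL (canned policy) for a
# behavior with "Restrict viewer access" = Yes and a trusted key group.
# Domain, key-pair ID and key path below are assumed placeholders.
import base64
import json
import subprocess
import time
from typing import Callable, Optional

# Hypothetical values: use your distribution domain name and the ID that
# CloudFront shows for the public key you created under Public keys.
DISTRIBUTION_DOMAIN = "d111111abcdef8.cloudfront.net"
KEY_PAIR_ID = "K2JCJMDEHXQW5F"


def cloudfront_base64(data: bytes) -> str:
    """Standard base64, then CloudFront's substitutions so the value is safe
    in a query string: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(
        str.maketrans("+=/", "-_~"))


def canned_policy(url: str, expires_epoch: int) -> bytes:
    """The canned policy CloudFront expects: one statement naming the resource
    URL and an AWS:EpochTime expiry (UTC Unix time). It must be serialized
    without whitespace; these exact bytes are what gets signed."""
    policy = {"Statement": [{
        "Resource": url,
        "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}},
    }]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def openssl_rsa_sha1_signer(private_key_pem: str) -> Callable[[bytes], bytes]:
    """Signer that shells out to OpenSSL. CloudFront verifies RSA-SHA1
    signatures with the public key registered in the trusted key group.
    Generate the pair with:
      openssl genrsa -out private_key.pem 2048
      openssl rsa -pubout -in private_key.pem -out public_key.pem
    and upload public_key.pem under CloudFront > Public keys."""
    def sign(message: bytes) -> bytes:
        return subprocess.run(
            ["openssl", "dgst", "-sha1", "-sign", private_key_pem],
            input=message, capture_output=True, check=True).stdout
    return sign


def sign_url(url: str, expires_epoch: int, key_pair_id: str,
             signer: Callable[[bytes], bytes]) -> str:
    """Append the Expires, Signature and Key-Pair-Id parameters that
    CloudFront checks before serving a restricted behavior."""
    signature = cloudfront_base64(signer(canned_policy(url, expires_epoch)))
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Expires={expires_epoch}"
            f"&Signature={signature}&Key-Pair-Id={key_pair_id}")


def signed_stream_url(object_key: str, ttl_seconds: int,
                      signer: Callable[[bytes], bytes],
                      now: Optional[float] = None) -> str:
    """Sign an object under the distribution, valid for ttl_seconds from now.
    Keep the TTL short: whoever holds the URL can fetch the object until then."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    url = f"https://{DISTRIBUTION_DOMAIN}/{object_key.lstrip('/')}"
    return sign_url(url, expires, KEY_PAIR_ID, signer)


if __name__ == "__main__":
    # Stand-alone run: needs the openssl CLI and a private_key.pem in the cwd.
    print(signed_stream_url("streams/meeting-123/index.m3u8", 300,
                            openssl_rsa_sha1_signer("private_key.pem")))
```

Anyone holding a signed URL can fetch the object until Expires, so keep the TTL as short as the player tolerates. The signature covers the exact resource URL, so a URL signed for one stream does not work for another, and objects under the unsigned /thumbnails/* behavior need no signature at all.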
Thumbnail Support
The last step is adding another behavior with slightly different settings for showing thumbnails.
Open your distribution, click the Behaviors tab, and click the Create behavior button.
Use the following settings:
Put "/thumbnails/*" in the Path pattern
Select your S3 bucket in the Origin and origin groups
Compress objects automatically - "No"
Viewer protocol policy - "HTTPS only"
Allowed HTTP methods - "GET, HEAD, OPTIONS"
Restrict viewer access - leave as "No" (we use thumbnails in emails, so they need to be reachable without a signature; this data is considered safe for unsigned URLs). Because anything under this path pattern is fetchable by anyone who knows the URL, make sure only thumbnail images are ever written under the /thumbnails/ prefix.
Cache policy - "CachingOptimizedForUncompressedObjects"
Click Create behavior.
Once you’ve done all this click back into the distribution and capture the distribution domain name.
Pro Tip: Save off the distribution domain name. We’ll need it later in the Xembly Admin Dashboard.
Setting the S3 Bucket Policy
Remember that earlier we copied a bucket policy as part of the CloudFront distribution setup. That policy grants the cloudfront.amazonaws.com service principal s3:GetObject on the bucket's objects, restricted with an AWS:SourceArn condition to this distribution only, which is what keeps the bucket private while still letting CloudFront read from it.
Go back to S3 and click on the bucket we created. Click Permissions, then click Edit under "Bucket policy". Paste the policy we saved and click Save changes.
Using AWS KMS
If you chose to encrypt the S3 bucket with your own customer managed key in KMS, some extra configuration is required on the key policy to allow both the IAM user we created earlier and the CloudFront distribution to use the key. Without it, uploads from the Xembly user fail and CloudFront returns errors when it tries to read the encrypted objects.
Follow these steps: open the KMS console in AWS, click on the key you are using, and click Edit on the key policy. Add the following two statements to the existing Statement array. Do not replace the statements already in the policy (in particular the one that grants the account root principal kms:*), or you can lock yourself out of administering the key. Since the behaviors above only allow GET, HEAD and OPTIONS, CloudFront strictly needs only kms:Decrypt; kms:Encrypt and kms:GenerateDataKey* on the CloudFront statement are only required if you later allow uploads through the distribution.
"Statement": [
    {
        "Sid": "Allow use of the key for app-xembly-user",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<YOUR AWS ACCOUNT ID>:user/<YOUR XEMBLY IAM USER NAME>"
        },
        "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey*"
        ],
        "Resource": "*"
    },
    {
        "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<YOUR AWS ACCOUNT ID>:root",
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey*"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::<YOUR AWS ACCOUNT ID>:distribution/<YOUR XEMBLY CLOUDFRONT DISTRIBUTION ID>"
            }
        }
    }
]
More information can be found in the AWS documentation on using origin access control with SSE-KMS encrypted S3 buckets.
Learn how to set up the Xembly Admin Panel with all the information you've saved to finish setting up Hybrid Cloud.